A service principal name (SPN) is the name by which a Kerberos client uniquely identifies an instance of a service for a given Kerberos target computer. If you install multiple instances of a service on computers throughout a forest, each instance must have its own SPN. A given service instance can have multiple SPNs if there are multiple names that clients might use for authentication. For example, an SPN always includes the name of the host computer on which the service instance is running, so a service instance might register an SPN for each name or alias of its host.
serviceclass/host:port servicename
serviceclass and host are required, but port and service name are optional. The colon between host and port is only required when a port is present.
See the following table for a description of each element in the command above:
Element
Description
Examples of SPN registrations:
Notes: You only need to specify a port when a non-default port is used for the service. See Port Numbers for a list of assigned port numbers. The NetLogon service registers the default SPNs for the base operating system and refreshes them every 22 minutes after operating system startup.
SetSPN is the application used to manage SPNs for Windows computers. With SetSPN, you can view, edit, and delete SPN registrations. The command syntax follows:
Setspn serviceclass/host:portnumber servicename
For example, to register the FIMService on the standard port (meaning you don't have to specify the port number) on a computer named FIMSVR in a domain named contoso.com that is using a service account named FIMService, use the following command:
setspn -s FIMService/FIMSVR.contoso.com CONTOSO\FIMService
The switch -s adds the SPN after verifying that there are no duplicates. To see a list of the SetSPN switches, you can run the command setspn /?
To register the http service on the standard port on a computer named CES1 in the corp.contoso.com domain using a service account named CES, use the following command:
setspn -s http/CES1.corp.contoso.com CORP\CES
To check the SPNs that are registered for a specific computer from that computer, you can run the following commands from a command prompt:
The SPN is registered in Active Directory under a user account as an attribute called Service-Principal-Name. The SPN is assigned to the account under which the service the SPN identifies is running. Any service can look up the SPN for another service. When a service wants to authenticate to another service, it uses that service’s SPN to differentiate it from other services running on that computer.
The following error event in the Directory Service log of a domain controller can appear when SPN issues are present:
Additional errors that may be seen related to SPN issues:
See also Kerberos and LDAP Error messages.
To add an SPN, run the following command at a command prompt:
setspn -s serviceClass/Host:Port AccountName
To delete an SPN, run the following command at a command prompt:
setspn -d ServiceClass/Host:Port AccountName
For example, to remove the HTTP SPN that was registered for the service account NdesSVC on a computer named NDES1 in the Proseware.com domain, you could run the following command:
setspn -d HTTP/Ndes1.proseware.com proseware\NdesSvc
To reset the default SPN registrations for the host names for an account, run the following command at a command prompt:
setspn -r AccountName
For example, to reset the SPN registrations for KHWIN7, run the command:
setspn -r KHWIN7
Caution: Although you can use Setspn -A, you should use Setspn -S instead, because -S verifies that there are no duplicate SPNs before adding one. However, if you are using Windows Server 2003 or earlier, you will not be able to use the -S switch unless you have updated to the new SetSPN version from KB 970536 (http://support.microsoft.com/kb/970536). If you cannot use -S, you should manually verify that there are no duplicate SPNs by first running Setspn -L. If you are using the updated version of Setspn, find duplicates by using Setspn -x, or Setspn -x -f to search across the entire forest.
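The following is an added example (not part of the original article, and not SetSPN's own code) that shows what the SPN syntax above and the duplicate check described in the caution amount to: it parses SPNs of the form serviceclass/host:port/servicename and flags any SPN that is registered on more than one account, comparing case-insensitively as Active Directory does. The account-to-SPN list is constructed sample data, the kind of output you would collect with Setspn -L for each account; SetSPN itself queries the directory instead.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# SPN layout from the article: serviceclass/host[:port][/servicename]
# Only serviceclass and host are required; port must be numeric here.
SPN_RE = re.compile(
    r"^(?P<cls>[^/:]+)/(?P<host>[^/:]+)(?::(?P<port>\d+))?(?:/(?P<svc>[^/]+))?$"
)


@dataclass(frozen=True)
class Spn:
    serviceclass: str
    host: str
    port: Optional[int]
    servicename: Optional[str]


def parse_spn(text: str) -> Spn:
    """Split an SPN into its elements; reject anything not in the documented shape."""
    m = SPN_RE.match(text.strip())
    if not m:
        raise ValueError(f"malformed SPN: {text!r}")
    port = int(m["port"]) if m["port"] else None
    return Spn(m["cls"], m["host"], port, m["svc"])


def default_host_spns(hostname: str, dns_domain: str) -> List[str]:
    """The two HOST SPNs that setspn -R re-registers for a computer account."""
    return [f"HOST/{hostname}", f"HOST/{hostname}.{dns_domain}"]


def find_duplicates(registrations: List[Tuple[str, List[str]]]) -> Dict[str, List[str]]:
    """Return {spn: [accounts]} for every SPN held by more than one account.
    Keys are lower-cased because AD matches servicePrincipalName case-insensitively."""
    owners = defaultdict(set)
    for account, spns in registrations:
        for spn in spns:
            parse_spn(spn)  # fail loudly on malformed input before comparing
            owners[spn.strip().lower()].add(account)
    return {spn: sorted(accts) for spn, accts in owners.items() if len(accts) > 1}


# Constructed sample: the http SPN from the CES example is also on the computer
# account (different case), which is exactly what setspn -x would report.
SAMPLE_REGISTRATIONS = [
    ("CORP\\CES", ["http/CES1.corp.contoso.com"]),
    ("CES1$", ["HOST/CES1", "HOST/CES1.corp.contoso.com", "HTTP/ces1.corp.contoso.com"]),
    ("CONTOSO\\FIMService", ["FIMService/FIMSVR.contoso.com"]),
]

if __name__ == "__main__":
    for spn, accounts in find_duplicates(SAMPLE_REGISTRATIONS).items():
        print(f"duplicate SPN {spn} on accounts: {', '.join(accounts)}")
```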
Few SPN problems start with SPN registration being identified as the root cause. More commonly people see something along the lines of invalid credentials, access denied, unauthorized, authentication failure, or something that appears related to a permissions error. Why? SPNs are required by services that use Kerberos and Kerberos is about providing authentication and authorization. Kerberos authentication is not possible for services when SPNs are not correctly configured. SPNs uniquely identify services running on servers, so when an SPN is missing from a computer account, the user often sees an authentication, credential, permission, or access error message.
If you discover an SPN registration issue, you can use the SetSPN command to help resolve it. You can try to reregister all the SPNs for the host that is failing to register:
setspn -R hostname
For example, to reregister all the SPNs for a host named server7, you could run the command:
setspn -R Server7
However, there are cases when you need to register an SPN manually. For example, Microsoft KB article 308111 discusses a situation where domain controllers are not replicating because there is a missing SPN. That article focuses on Event ID 1645 appearing in the Event Viewer. However, you may discover missing SPNs by running the command DCDIAG /s:servername /c /v, which tests the critical services on a domain controller. For example, assume there is a domain controller named DC2 in the Fabrikam.com domain. To test the critical services on the domain controller with verbose output, you can run the command:
dcdiag /s:dc2.fabrikam.com /v /c > dcdiag.txt
That command outputs the diagnostic information to the file dcdiag.txt in the directory from which the command was run. Then, you can use notepad to open the file by running the command:
notepad dcdiag.txt
You could then search the file for issues. One issue you might find during the diagnostic is a "Missing SPN" entry during the MachineAccount test, as shown in the following figure.
You could manually register the SPN using SETSPN, or in this specific case use the "dcdiag.exe /fix" command, which writes back the computer account's AD replication SPN. You may also try restarting the domain controller or the NTDS service. For example, on a Windows Server 2008 or Windows Server 2008 R2 server, you could restart NTDS by running the following command:
net stop ntds && net start ntds
To manually register the SPN that is shown as missing in the figure above, you would enter the command shown in the following figure.
The command from the figure is:
setspn -S E351-4B06-11D1-AB04-00C0FC2DCD2/d89500-a9dc-496d-bf40-775130ec147a/fabrikam.com DC2
If a computer is unable to verify the SPN of another computer, a connection request may be denied or fail. For example, one error you might encounter is -2146893022, "The target principal name is incorrect." This could be the result of a name resolution issue (DNS or hosts files), or of a duplicate or missing SPN. You can try running the following command on a domain controller displaying such an error:
dcdiag /test:checksecurityerror
That command will check for missing and duplicate SPNs as well as other errors. When troubleshooting these issues, you should be sure to verify DNS connectivity. See Troubleshooting DNS (Chapter 13) and Troubleshooting DNS (on TechNet) for additional details.
Once you have SPNs in place, an additional Delegation tab becomes available on the account's properties in the Active Directory Users and Computers MMC snap-in, where you can choose delegation settings.
See Kerberos authentication and delegation: ServicePrincipalNames for more information.
See the following articles for more information on registration and troubleshooting SPN issues:
SPN formatting and registration
Specific SPN Issues and Resolutions